All-In-One Security Plugin Patches Sensitive Data Exposure Vulnerability in Version 5.2.0 – WP Tavern
All-In-One Security (AIOS), a plugin active on more than one million WordPress sites, was found to be logging plaintext passwords from login attempts in the database and has patched the security issue in version 5.2.0.
In a post titled “Cleartext passwords written to aiowps_audit_log” published to the plugin’s support forum two weeks and five days ago, @c0ntr07 reported the issue:
I was absolutely shocked that a security plugin is making such a basic security 101 error (not to mention being out of compliance with NIST 800-63-3, ISO27000, CIS, HIPAA, GDPR, ….)
How can I stop the logging of clear text passwords?
How can this be fixed so we don’t fail the upcoming security review and audit by our third-party compliance auditors?
A support representative from AIOS confirmed that it was a known bug in the last release and provided a development copy of a zip file with a fix. It took more than two weeks for the patch to be published.
In version 5.2.0, released on July 10, 2023, AIOS included the following security updates in the plugin’s changelog:
- SECURITY: Remove authentication data from the stacktrace before saving to the database
- SECURITY: Set tighter restrictions on what subsite admins can do in a multisite.
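The first changelog entry points at the mechanism behind the bug: the audit log stored a stack trace of the login attempt, and because the trace carried function arguments, the password passed down through WordPress's authentication call chain was written to the table along with it. The following example, added here and not taken from the plugin's own patch, shows the scrubbing pattern in Python over a simplified model of PHP `debug_backtrace()` frames. The function names `wp_signon`, `wp_authenticate`, `wp_authenticate_username_password` and `wp_check_password` are real WordPress core functions and the argument positions match their real signatures; the frame format, the sample trace, the `audit_log_write` frame and all values in it are constructed for illustration.

```python
"""Redact credentials from a captured stack trace before it is persisted.

Added illustrative example (not the AIOS patch).  Frames are modelled as dicts
with "function" and "args" keys, a simplification of PHP debug_backtrace()
output.  Two passes are used: known authentication frames identify which
values are secrets, then those values are scrubbed wherever they recur in the
trace, so wrapper frames (apply_filters, plugin hooks) that were not on the
allow-list do not leak the password a second time.
"""
from __future__ import annotations

from typing import Any

REDACTED = "[redacted]"

# Real WordPress core functions and the argument positions that carry a
# credential (positions follow the real signatures).  Which functions a plugin
# must cover is an assumption of this example.
CREDENTIAL_ARGS: dict[str, tuple[int, ...]] = {
    "wp_signon": (0,),                          # ($credentials, $secure_cookie)
    "wp_authenticate": (1,),                    # ($username, $password)
    "wp_authenticate_username_password": (2,),  # ($user, $username, $password)
    "wp_check_password": (0,),                  # ($password, $hash, $user_id)
}


def _secret_values(value: Any) -> set[str]:
    """Collect the secret strings inside a credential argument.

    A wp_signon() $credentials array is a dict; only its password-like keys
    (e.g. user_password) are treated as secrets so the login name survives.
    """
    if isinstance(value, dict):
        found: set[str] = set()
        for key, inner in value.items():
            if "pass" in str(key).lower():
                found |= _secret_values(inner)
        return found
    if isinstance(value, str) and value:
        return {value}
    return set()


def _scrub(value: Any, secrets: set[str]) -> Any:
    """Recursively replace any string equal to a known secret."""
    if isinstance(value, str):
        return REDACTED if value in secrets else value
    if isinstance(value, dict):
        return {k: _scrub(v, secrets) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(_scrub(v, secrets) for v in value)
    return value


def redact_trace(frames: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return a copy of the trace with credentials removed from every frame."""
    # Pass 1: harvest secret values from the credential positions of known
    # authentication frames.
    secrets: set[str] = set()
    for frame in frames:
        args = frame.get("args", [])
        for pos in CREDENTIAL_ARGS.get(frame.get("function", ""), ()):
            if pos < len(args):
                secrets |= _secret_values(args[pos])

    # Pass 2: scrub those values everywhere, and blank the credential slots of
    # known frames regardless of type (except dicts, handled by _scrub) so a
    # non-string password value cannot slip through.
    redacted: list[dict[str, Any]] = []
    for frame in frames:
        args = [_scrub(a, secrets) for a in frame.get("args", [])]
        for pos in CREDENTIAL_ARGS.get(frame.get("function", ""), ()):
            if pos < len(args) and not isinstance(args[pos], dict):
                args[pos] = REDACTED
        redacted.append({**frame, "args": args})
    return redacted


def leaks(frames: list[dict[str, Any]], secrets: set[str]) -> bool:
    """Check whether any known secret string still appears in the trace."""
    return any(s in repr(frame) for frame in frames for s in secrets)


# Constructed sample: a failed login for "alice" with password "hunter2"
# flowing from wp_signon() down to the password check, then into a
# hypothetical plugin audit-log writer.  Innermost frame first.
SAMPLE_TRACE: list[dict[str, Any]] = [
    {"function": "audit_log_write", "args": ["failed_login", "alice"]},
    {"function": "wp_check_password", "args": ["hunter2", "$P$BexampleHashValue", 7]},
    {"function": "wp_authenticate_username_password", "args": [None, "alice", "hunter2"]},
    {"function": "apply_filters", "args": ["authenticate", None, "alice", "hunter2"]},
    {"function": "wp_authenticate", "args": ["alice", "hunter2"]},
    {"function": "wp_signon", "args": [{"user_login": "alice", "user_password": "hunter2",
                                        "remember": False}, False]},
]

if __name__ == "__main__":
    import json
    print(json.dumps(redact_trace(SAMPLE_TRACE), indent=2))
```

Two practical notes follow from the example. In PHP itself the cheaper fix is to never capture arguments in the first place, by calling `debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS)`; value-based scrubbing like the above is the fallback when a trace with arguments is genuinely needed. And scrubbing only protects new writes: rows already stored in the `aiowps_audit_log` table still hold the cleartext passwords and have to be purged separately, which is why the advice quoted later in this article is to clean the existing logs and rotate reused passwords.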
Users are advised to update to version 5.2.0+ immediately in order to secure their sites. At the time of publishing, virtually no users have updated to 5.2.0+, leaving hundreds of thousands of users who are running 5.1.9 still vulnerable.
“So far the developer hasn’t even told the users to change all passwords,” Patchstack CEO Oliver Sild said in response to the issue on Twitter. “Due to the scale, we will 100% see hackers harvest the credentials from the logs of compromised sites that run (or have run) this plugin.
“We have also sent out a vulnerability alert to all Patchstack customers. Hopefully the Updraft team will do the same and will inform their security plugin users to clean these logs ASAP and ask all the site users to change the passwords wherever they used the same combinations.”